In the Integrations section of your PhishER Settings, you can view and manage integrations with your mail server, the third-party integrations supported by PhishER, and the integration with your KSAT console.

Mail Servers

The Mail Servers subtab displays the mail servers connected to your PhishER platform. From this subtab, you can connect and manage your Microsoft 365 and Google Workspace mail server instances. After you connect your mail server instances on this subtab, you can enable PhishRIP or the PhishER Blocklist for your platform.

Once you connect a mail server to a feature on your PhishER platform, you can edit and test the connection. If you update a mail server instance, the instance will automatically update across your PhishER platform. You can also connect mail servers from the Blocklist or PhishRIP subtabs of your PhishER Settings.

To learn how to connect and manage mail servers, see the subsections below.

Connecting a Microsoft 365 Mail Server

To connect a new instance of your Microsoft 365 mail server, follow the steps below:

1. Log in to your PhishER platform.
2. Navigate to Settings > Mail Servers.
3. If you would like to connect to PhishRIP, click New PhishRIP Connection and follow the steps in the Enabling for Microsoft 365 section of our How to Use PhishRIP article. If you would like to connect to the PhishER Blocklist, click New Blocklist Connection and follow the steps in the Blocklist section of this article.

Connecting a Google Workspace Mail Server

To connect a new instance of your Google Workspace mail server, follow the steps below:

1. Log in to your PhishER platform.
2. Navigate to Settings > Mail Servers.
3. Click the New PhishRIP Connection button and follow the steps in the Enabling for Google Workspace section of our How to Use PhishRIP article.

Managing Your Mail Servers

Once you connect a mail server instance, it will display on the Mail Servers page. If you edit or delete a mail server instance, the changes will automatically apply to your PhishER platform. If you disconnect an instance, it will continue to display on the Mail Servers page until you delete it or reconnect it.

To learn more about the settings on the Mail Servers page, see the screenshot and list below.

1. New PhishRIP Connection and New Blocklist Connection: You can click these buttons to add a new mail server instance or reconnect a disconnected instance. For more information about connecting an instance, see the above subsections of this article.
2. Pencil icon: You can click this icon to customize the name of a mail server instance.
3. Test PhishRIP Connection: You can click this link to confirm that a mail server is connected to your PhishER platform. The date and time of when the connection was successfully tested will display next to the link. User Mailboxes Scanned will display the number of mailboxes scanned when the connection was tested.
4. Funnel icon: You can click this icon to open the User Mailboxes Selection pop-up window. In the pop-up window, you can enter email domains or regular expressions in the fields to indicate the user mailboxes that PhishRIP can scan. For more information, read the User Mailboxes Selection section below.
5. Disconnect PhishRIP and Disconnect Blocklist: You can click these buttons to disconnect a mail server from PhishRIP or the PhishER Blocklist.
6. Trash can icon: You can click this icon to delete a disconnected mail server instance.

Selecting User Mailboxes

After the first PhishRIP query is run, your mail server instance will display a funnel icon. You can click the icon to open the User Mailboxes Selection pop-up window. This pop-up window displays the email domains or regular expressions that indicate the user mailboxes that PhishRIP can scan. You can enter email domains in the Domain Scan List field or enter regular expressions in the Regular Expression Scan List field. Enter each value on a separate line. Then, click Save to save your changes. PhishRIP queries will only search in mailboxes of users who have a matching domain or regex string from the lists. If you want PhishRIP queries to search in all the available user mailboxes, remove all entries from both fields.

Blocklist

From the Blocklist subtab, you can enable the PhishER Blocklist feature. This feature helps your mail server prevent malicious or spam emails from reaching your users’ inboxes. With this feature, you can block emails from senders, domains, URLs, and file hashes.

If you have a PhishER Plus subscription, you can also enable the Global Blocklist feature, which connects your mail server to a blocklist managed by KnowBe4's Threat Research Lab. If you enable the Global Blocklist and PhishRIP in your platform, you can enable the Global PhishRIP feature to remove email threats from your user's inboxes using the Global Blocklist. For more information about these features, see our How to Use the Global Blocklist and How to Use Global PhishRIP articles.

To enable your blocklist, follow the steps below:

1. Log in to your PhishER platform.
2. Navigate to Settings > Blocklist.
3. Click the Connect to Microsoft 365 button. This button will take you to the Microsoft 365 login page.
4. Once you have logged in, the Permissions requested Accept for your organization pop-up window will display. Once you've read the permissions, click the Accept button.
5. Turn on the toggle next to Disabled.
6. From the Blocklist Entry Duration drop-down menu, select the amount of time that you would like entries to remain on your blocklist. A duration of 60 days is selected by default.
7. Click Save.

Once the PhishER Blocklist is enabled, a block icon will display in the navigation panel on the left side of your PhishER platform. You can click this icon to access your blocklist.

After you enable the PhishER Blocklist, you will need to assign the Exchange Administrator role to the PhishER Blocklist application to authenticate it.

To assign the Exchange Administrator role to the application, follow the steps below:

1. Log in to the Microsoft Entra admin center using your admin credentials. You must have at least a Privileged Authentication Administrator role.
2. Navigate to Microsoft Entra ID > Identity > Roles & admins > Roles & admins.
3. Click the Exchange Administrator role name and click Add assignments.
4. In the search bar, enter "PhishER Blocklist" and click Add.

Once you’ve completed the steps above, you can add and manage blocklist entries. For more information about using your blocklist, see our How to Use the PhishER Blocklist article.

CrowdStrike

From the CrowdStrike subtab, you can configure your integration with CrowdStrike Falcon Sandbox. CrowdStrike Falcon Intelligence is a threat intelligence service that combines with the Falcon Sandbox to analyze files and URLs for malicious content. To integrate the CrowdStrike Falcon Sandbox with PhishER, you must have a PhishER Plus subscription and an active CrowdStrike Falcon Intelligence subscription. If you do not have a CrowdStrike subscription, you can purchase one on CrowdStrike’s website.

For more information about integrating CrowdStrike with your PhishER platform, see our How to Integrate CrowdStrike with Your PhishER Platform article.

VirusTotal

From the VirusTotal subtab, you can configure your integration with VirusTotal. VirusTotal is a service that uses over 70 antivirus scanners to inspect and analyze files for malicious content. To integrate your VirusTotal account with PhishER, you must have an active VirusTotal license key. If you do not have a VirusTotal account, you can join for free on VirusTotal's website.

For more information about integrating VirusTotal with your PhishER platform, see our VirusTotal and PhishER Integration article.

Threat Intel

From the Threat Intel subtab, you can configure your integration with Threat Intel. Threat Intel uses Webroot’s BrightCloud Web Classification & Web Reputation Service to analyze URLs. To configure Threat Intel with your PhishER platform, you must have a PhishER Plus subscription. For more information about integrating Threat Intel with your PhishER platform, see our Integrate Threat Intel with Your PhishER Platform article.

Syslog

From the Syslog subtab, you can configure the Syslog servers connected to your PhishER platform. System Logging Protocol, or Syslog, is a protocol that generates logs for network devices or servers. You can integrate Syslog servers with your PhishER account to log when PhishER actions are triggered.

For more information about integrating Syslog servers with your PhishER platform, see our How to Integrate Syslog with Your PhishER Platform article.

Webhooks

From the Webhooks subtab, you can configure the webhooks connected to your PhishER platform. A webhook, also known as an HTTP push API, allows applications to provide other applications with information in real time. You can receive a callback based on a PhishER action that is attached to a message.

For more information about configuring webhooks for your PhishER platform, see our How to Create and Manage Webhooks in Your PhishER Platform article.

Cyren Inbox Security (CIS)

When using Cyren Inbox Security (CIS), you have the option to send scanned or reported emails to your PhishER platform. For more information about this feature, see our Cyren Inbox Security (CIS) Integration article.

KSAT Console

From the KSAT Console subtab, you can configure your integration with your KSAT console to update events on KSAT User Timelines. If you have a Platinum or Diamond-level subscription, you can use the KSAT integration option to see two types of events on your users' KSAT User Timelines. The first event is the disposition of the messages that your users have reported with the Phish Alert Button (PAB). The second event is the disposition and location of a message that PhishRIP has quarantined.

For more information about the settings on the KSAT Console subtab, see the screenshot and list below:

1. User Event API Key: This field displays the last four characters of your User Event API Key. To update this field, click Update Key. In the Update Key pop-up window that opens, enter your User Event API Key in the New User Event API Key field and click Save.
   Note:You can find your User Event API Key in the User Event API section of your KSAT Account Settings.
2. Send Events to KSAT via PhishER Actions: Select this check box to enable the Send to KSAT option for PhishER actions. You can use this option to send information to your KSAT console when users report a message with the PAB.
3. Automatically send PhishRIP Events to KSAT Console: Select this check box to send information to your KSAT console when PhishRIP quarantines a message. The event on your User Timelines will display the message’s disposition and the location where it was found in the user's inbox.
   Note:You must enable PhishRIP to use the Automatically send PhishRIP Events to KSAT Console integration feature. Leaving the Automatically send PhishRIP Events to KSAT Console check box deselected will not prevent you from seeing the disposition of reported emails on the KSAT User Timeline.
4. Exclude emails from Sent, Spam, Deleted, and Quarantine folders: Select this check box to exclude information from emails that were found in your users’ Sent, Spam, Deleted, or Quarantine folders.
5. Send PhishRIP events to KSAT when the Source of the PhishRIP query is labeled as: You can select specific dispositions if you would like to send information about messages that received a specific disposition only.
6. Save: Click this button to update your KSAT integration settings.